Personally, I know very few people who disable JavaScript in their browsers, simply because that would make even the simplest web-based applications useless. Many people use online email clients, e-banking systems, and other web-based applications, all of which have to use some dose of JavaScript for functioning properly and offering a suitable post-web-1.0 user experience. That's a fact.

In 99.9% of all web applications, the data resides on the server, which means that the server-side code must ideally be properly secured against all types of attacks (SQL injection, XSS, and more at OWASP). In the case of XSS attacks, the goal is not always to hack the data (which we can properly secure 100%), but often to sort of hack the way information is displayed on the screen. When a web application is displayed within a frame/iframe of another malevolent web application, there is little one can do to prevent that, except using the upcoming anti-phishing tools provided by browser vendors et al.

Using new technologies automatically implies taking more risks. At the end of the day, people committing to use new technologies or new arrangements of old technologies (like Ajax) are implicitly taking those risks and must do so in full awareness. Due to the openness of the web (which is its greatest strength as well as its greatest threat), the only thing we can really rely on is the users' awareness of the risks they are taking. Users must be made aware of the risks they are taking and they must be given the option of going down that path or not. As JavaScript developers and server-side developers, all you can really do is secure your code as much as you can and inform your user base about the potential risks. [ July 25, 2007: Message edited by: Valentin Crettaz ]

I personally think the risks of using JavaScript are overblown and poorly understood. Interestingly, in our consultancy we saw large companies adopting heavy JavaScript use far quicker than public websites (like Amazon.com and CNN.com and such). The main reason for this is that the benefits appear to far outweigh the risks - but in a public web, you have less control over what people have turned on in their browsers.

And whether you actually USE JavaScript in your application or not does not actually increase or reduce these risks (like XSS, for example). What mitigates risks is whether users will have JavaScript turned off in their browser altogether - something you can't control anyway. So you might as well use JavaScript to improve your users' experience.

That's a rather fatalistic view of it. In the real world there are relatively few opportunities to employ things like XSS for profit - so it doesn't happen very often at all.

I think that the majority of users have JavaScript enabled and most websites require it. It is, however, a good idea to use degradable Ajax for those that don't have JavaScript enabled - though I would not bend over backwards to achieve this in all cases!

As for the reason that people might turn off JavaScript, there are a few easy steps that one can take to prevent the majority of attacks like XSS or CSRF that might take advantage of JavaScript in the browser. In particular, positive filtering and unique key generation on form submits are the most important techniques to remember.

Valentin Crettaz (Sheriff), posted Jul 27, 2007 03:05:00

That's a rather fatalistic view of it. In the real world there are relatively few opportunities to employ things like XSS for profit - so it doesn't happen very often at all.

I don't agree. There are countless records of such examples. And the phenomenon is just taking off.

"Phishing Exposed", published by Syngress, is just one of many books (plus countless articles) on this subject. Lance James shows very concrete examples of how to take advantage of vulnerable e-banking websites.

Plus another very handy tool called XSS-proxy shows very well how easy it is to set up XSS attacks in a completely transparent way for users. [ July 27, 2007: Message edited by: Valentin Crettaz ]